Tracking kids’ online activities just got a lot harder

The U.S. Federal Trade Commission today officially expanded a children’s online privacy law to make it more difficult for companies to track children across the Web and through Internet-connected devices, like smartphones and tablets.

Changes to the Children’s Online Privacy Protection Act (COPPA), a law enacted more than a decade ago, were first proposed by the FTC in 2010. The new rules have since undergone rounds of revisions based on feedback from citizens, children’s advocacy groups, and the Internet companies that must abide by the new injunctions.

Companies like Disney and Facebook have fought to limit the scope of the changes, arguing that certain restrictions could curb innovation. The new so-called COPPA Rule includes both greater protections for children, as well as ways for companies to more easily abide by the rules.

“The Commission takes seriously its mandate to protect children’s online privacy in this ever-changing technological landscape,” said FTC Chairman Jon Leibowitz in a statement. “I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities.”

Language in the updated COPPA Rule now explicitly prohibits companies from collecting photos, videos, and geolocation data connected to children under the age of 13 without parental consent. A “loophole” has been closed that allowed websites that target kids to share collected data with third parties. Children’s data may now only be shared with third parties that are “capable of maintaining the confidentiality, security, and integrity of such information.”

The new COPPA Rule also prohibits some unapproved uses of tracking mechanisms, like cookies, as well as “persistent identifiers” – things like usernames, IP addresses, and device IDs – which can be used to track kids’ activities across websites, online games, and mobile apps. Companies do not have to obtain parental consent for the use of persistent identifiers if the data collected is used for “internal” purposes, which includes serving “contextual ads.”

Social plugins, such as Facebook’s “Like” button and online advertisements, are not prohibited, unless the company has “actual knowledge that they are collecting information through a child-directed website or online service,” according to the FTC’s announcement.

The FTC also expanded ways in which parents can provide companies with consent, including “electronic scans of signed parental consent forms; video-conferencing; use of government-issued identification; and alternative payment systems, such as debit cards and electronic payment systems, provided they meet certain criteria.”

Parents may also provide a company with consent via email, as long as the data collected about their child is only used internally.

Both the Common Sense Media and the Center for Digital Democracy, the main two advocacy groups in support of the updates to COPPA, have praised the changes as a win for parents and kids.

“Parents – not social networks or marketers – will remain the gatekeepers when it comes to their children’s privacy not only online, but also on phones,” said Common Sense Media CEO James Steyer in a statement. “What’s more, these updates to COPPA effectively balance growing privacy concerns and the paramount rights of children and families with the tech industry’s need to innovate.”

Adoption of the changes to COPPA follow a study (PDF) by the FTC that found that a significant portion of mobile apps were collecting personal data about children without consent, as well as calls from privacy advocates for the FTC to investigate the “SpongeBob SquarePants” mobile app from Nickelodeon.